[midPoint] Synchronizing Encrypted User Password

pdbogen at cernu.us pdbogen at cernu.us
Fri Sep 16 22:45:15 CEST 2016


In case someone may benefit from this later, with Radovan's help (and a lot of 
googling) I managed to crack this. Here's what I ended up with for a mapping:

      <attribute>
        <ref>ri:encryptedPassword</ref>
        <outbound>
          <source>
            <path>$user/credentials/password/value</path>
          </source>
          <expression>
            <script>
              <includeNullInputs>false</includeNullInputs>
              <code>
                import java.io.ByteArrayOutputStream
                import java.io.ObjectOutputStream
                // 'value' is the ProtectedStringType from the source path
                // (still encrypted with midPoint's key; nothing is decrypted here)
                bos = new ByteArrayOutputStream();
                oos = new ObjectOutputStream(bos);
                oos.writeObject(value)
                oos.flush()
                // byte[] becomes the octet-string LDAP attribute
                bos.toByteArray()
              </code>
            </script>
          </expression>
        </outbound>
        <inbound>
          <target>
            <path>$user/credentials/password/value</path>
          </target>
          <expression>
            <script>
              <includeNullInputs>false</includeNullInputs>
              <code>
                import java.io.ByteArrayInputStream
                import java.io.ObjectInputStream
                import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType
                // 'input' is the raw byte[] read back from encryptedPassword
                bis = new ByteArrayInputStream(input)
                ois = new ObjectInputStream(bis)
                // reverse the serialization, then decrypt to the plaintext the
                // password/value target expects
                basic.decrypt((ProtectedStringType) ois.readObject())
              </code>
            </script>
          </expression>
        </inbound>
      </attribute>

In English: the outbound mapping is triggered by a password change; it 
manually serializes the ProtectedStringType and writes the byte version out. 
The `encryptedPassword` field is part of a custom LDAP schema, defined like 
so:

  attributetype ( 1.3.6.1.4.1.48258.1.4 NAME 'encryptedPassword'
  DESC 'Midpoint-decryptable encrypted password'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  SINGLE-VALUE )

In turn, the inbound mapping receives the `value` on its input, which is 
exactly the byte array that was written out. It reverses the serialization, 
and then decrypts the password before feeding it back into the User password.
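Added example, not part of Patrick's post or of midPoint itself: the inbound side hands whatever bytes sit in the `encryptedPassword` attribute to `ObjectInputStream`, so a defender would want the reader to resolve only the classes it expects. The stand-alone Java below does the same serialize/deserialize round trip with a `resolveClass` allow-list, using a stand-in class `ProtectedValue` in place of `ProtectedStringType` (an assumption, so it compiles without the midPoint jars; the real mapping would list `com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType` instead). It also shows a stream carrying an unexpected class being refused before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class EncryptedPasswordCodec {

    // Stand-in for midPoint's ProtectedStringType (assumption: the real class is
    // Serializable, which the posted mapping relies on). Only the fields needed
    // for the round trip are modelled.
    public static final class ProtectedValue implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String keyName;     // which key encrypted the secret
        public final byte[] cipherText;  // the encrypted bytes, never plaintext

        public ProtectedValue(String keyName, byte[] cipherText) {
            this.keyName = keyName;
            this.cipherText = cipherText.clone();
        }
    }

    // Class names the inbound side is willing to instantiate. Anything else in
    // the stream is refused before its constructor or readObject() can run.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            ProtectedValue.class.getName(),
            "[B"));   // byte[] descriptor, needed for the cipherText field

    // Outbound direction: as in the mapping, flushed and closed so that the
    // byte array is complete before it is written to LDAP.
    public static byte[] serialize(ProtectedValue value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Inbound direction: the bytes come from an LDAP attribute, so the reader
    // resolves only classes on the allow-list.
    public static ProtectedValue deserialize(byte[] raw)
            throws IOException, ClassNotFoundException {
        ByteArrayInputStream bis = new ByteArrayInputStream(raw);
        try (ObjectInputStream ois = new ObjectInputStream(bis) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(),
                            "class not permitted in encryptedPassword stream");
                }
                return super.resolveClass(desc);
            }
        }) {
            Object obj = ois.readObject();
            if (!(obj instanceof ProtectedValue)) {
                throw new InvalidClassException(obj.getClass().getName(),
                        "unexpected top-level object");
            }
            return (ProtectedValue) obj;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a key name and a few fake ciphertext bytes.
        ProtectedValue original = new ProtectedValue("master-key-1",
                new byte[] {0x10, 0x20, 0x30});
        ProtectedValue back = deserialize(serialize(original));
        System.out.println("round trip ok: " + back.keyName + " "
                + Arrays.toString(back.cipherText));

        // Constructed negative case: a stream carrying a java.util.ArrayList,
        // which is not on the allow-list, is refused before instantiation.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            List<String> notAPassword = new ArrayList<>();
            notAPassword.add("unexpected");
            oos.writeObject(notAPassword);
        }
        try {
            deserialize(bos.toByteArray());
            System.out.println("BUG: foreign object was accepted");
        } catch (InvalidClassException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac EncryptedPasswordCodec.java && java EncryptedPasswordCodec`. In the Groovy inbound script the same guard is an anonymous subclass of `ObjectInputStream` overriding `resolveClass`; the point is that the allow-list check happens on the class descriptor, before any class from the stream is loaded or its `readObject` executed, which is where deserialization of attacker-influenced directory data would otherwise go wrong.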

I think this ended up pretty elegant; I can't imagine it being _much_ shorter. 
Maybe the serialization and deserialization are good candidates for inclusion 
in BasicExpressionFunctions. It might also be nice if an inbound mapping for 
password/value *could* directly accept a ProtectedStringType; it only 
accepts the plaintext password.

But, it works! Huzzah.

- Patrick